On July 20, Microsoft and CISA disclosed a critical zero-day vulnerability (CVE-2025-53770) actively exploited in the wild. This SharePoint vulnerability impacts SharePoint Server 2016, 2019, and Subscription Edition, putting thousands of organizations at risk.
Dubbed “ToolShell,” the exploit allows remote code execution without authentication. More troubling, attackers aren’t just gaining access; by extracting encryption keys and planting web shells, they achieve persistence that survives patching of the server.
It’s a sobering reminder that patching alone doesn’t guarantee safety, especially for organizations relying on centralized, on-prem collaboration systems.
What Happened?
CVE-2025-53770 is an unauthenticated deserialization vulnerability affecting Microsoft SharePoint Server. These vulnerabilities bypass the July 2025 patches and enable:
- Remote code execution without authentication
- Theft of ASP.NET machine keys
- Implanting of web shells that survive remediation
- Long-term access, even after patches are applied
The vulnerability does not affect SharePoint Online, but many enterprises still run hybrid or fully on-prem environments due to compliance, performance, or cost considerations.
Microsoft has released patches for SharePoint 2019 and Subscription Edition. A fix for SharePoint 2016 is still pending. Read the CISA alert.
The Bigger Problem: Centralization Creates Risk
Even with patches deployed, the nature of this attack highlights a deeper challenge: centralized collaboration infrastructure is inherently vulnerable.
If your SharePoint server is compromised:
- Sensitive files can be exfiltrated
- Malware or implants can propagate across connections
- Backups on the same system may be compromised
- Recovery is often slow, costly, and incomplete
The takeaway? Collaboration resilience is more than keeping SharePoint online. It’s about maintaining trusted, uncompromised access to your data, no matter what happens to your servers.

What To Do Now
Patching is critical, but true resilience means preparing for what happens when patches come too late.
Next steps to protect your environment:
- Patch SharePoint servers immediately
- Rotate your ASP.NET machine keys to fully eliminate attacker access
- Audit your exposure and identify gaps in server-level trust
- Monitor file integrity and versioning to support fast rollback
- Separate data replication from your collaboration platform
- Deploy enterprise-ready peer-to-peer file synchronization with Resilio Active Everywhere
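The file-integrity step above is the one that catches a web shell left behind after the patch. The following script is an added example (not Resilio's or Microsoft's code): it hashes every file under a web root before and after a change, then reports what was added, removed or modified, flagging any new or altered server-side script. The directory layout, file names and extensions in the demo are constructed for illustration, not indicators from the page.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Server-side script extensions to single out in the report
# (an assumption for this example, not a list from the advisory).
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asax"}

def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(before: dict, after: dict) -> dict:
    """Classify changes between two baselines; script files get their own list."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    suspicious = [k for k in added + modified if Path(k).suffix.lower() in SCRIPT_EXTS]
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}

def demo() -> dict:
    """Constructed scenario: take a baseline, apply a legitimate config change,
    and see an .aspx file appear that nobody deployed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "_layouts").mkdir()
        (root / "web.config").write_text("<configuration/>")
        (root / "_layouts" / "default.aspx").write_text("<%@ Page %>")
        before = baseline(root)
        # Post-patch state: an expected edit to web.config ...
        (root / "web.config").write_text("<configuration><!-- patched --></configuration>")
        # ... plus an unexpected script (constructed name, not a real indicator).
        (root / "_layouts" / "example_unexpected.aspx").write_text("<% /* constructed */ %>")
        return compare(before, baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline before patching and the comparison afterwards; anything in `suspicious` that your change records cannot explain deserves a look before the server is trusted again.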
How Resilio Active Everywhere Helps You Recover Faster and Smarter
Our software platform offers a fundamentally different approach to file access, replication, and protection. Instead of relying on a single server or cloud, Resilio Active Everywhere provides data movement with a modern peer-to-peer architecture, directly between endpoints — whether they’re in the cloud, in remote offices, or on-premises.
Here’s how that changes your risk profile in a zero-day scenario:
Decentralized by Design
- Files are replicated between devices without needing to pass through a central SharePoint server
- If a server is breached, endpoints retain clean, usable copies
- No single point of failure
Trusted Encryption and Key Control
- AES-256 encryption protects files in transit
- Encryption keys are never stored in a single location that could be compromised, and are rotated automatically
- Optional per-node access policies let you isolate or revoke at a moment’s notice
File Integrity & Version Control
- Restore earlier versions from synced endpoints or air-gapped storage
- Propagate only the changed portions of files, saving valuable recovery time
Rapid Isolation & Sync to Clean Hosts
- Redirect sync jobs away from compromised infrastructure
- Instantly sync to replacement servers or cloud VMs
- Resume work with minimal disruption, even during incident response
Real-World Scenario
Imagine your SharePoint 2019 server is exploited on a Friday afternoon. You apply Microsoft’s patch on Sunday, but the attacker has already installed a hidden web shell and keeps long-term access before anyone notices. Questions remain: What was touched? Can you trust the server? How fast can you get your teams back to work?
With Resilio Active Everywhere in place:
- Your SharePoint content has already been continuously synced to other trusted endpoints: user workstations, branch offices, or secure cloud infrastructure
- You spin up a clean environment (on-premises or in the cloud) and use Resilio to pull the latest known-good versions of files from those distributed endpoints
- You resume operations quickly without relying on the potentially compromised SharePoint server as a single point of truth
- You avoid the bottlenecks of traditional restore processes and reduce the risk of propagating tampered files
Want help planning your response? Talk to our data movement experts.
Final Thought
Every zero-day is a reminder: your data is more than what lives on your server. Make sure it survives the next breach, ransomware event, or patch delay with a file infrastructure that’s as resilient as you are.